
> Thesis (pdf)

> Taxonomy (online)

> Java Test Cases

> FindBugs Detectors (fb4sec)

Updated: 12.04.08

SSE at James Madison University

Writing Secure Java Code:
A Taxonomy of Heuristics and an Evaluation of Static Analysis Tools

May 2008

The software security community is currently emphasizing the development of secure coding standards and their automated enforcement using static analysis techniques. Unlike C and C++, the Java programming language has no secure coding standard. In this thesis, a comprehensive collection of coding heuristics for writing secure code in Java SE 6 is organized into a taxonomy according to the design principles they help to achieve. By mapping secure coding heuristics to design principles, the goal is to help developers become more aware of the quality- and security-related design problems that arise when specific coding heuristics are violated. The taxonomy's design-driven methodology also aims to make understanding, applying, and remembering both design principles and coding heuristics easier. To determine how well the collection of secure coding heuristics can be enforced using static analysis techniques, eight tools are subjected to 72 test cases that comprise a total of 115 distinct coding heuristic violations. A significant number of serious violations, some of which make attacks possible, were not identified by any tool. Even if all of the tools were combined into a single tool, more than half of the violations included in the study would not be identified.
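To make the notion of a "coding heuristic violation" concrete, here is an added example that is not one of the thesis's test cases and does not come from the taxonomy or the fb4sec detectors: a Java class that exposes its internal mutable state through a getter, beside a version that follows the widely used defensive-copying heuristic. The class and field names are hypothetical, and no claim is made about which of the studied tools would or would not flag the violating form.

```java
import java.util.Arrays;

// Added example (not from the thesis): the same class written in a form that
// violates the "do not expose internal mutable state" heuristic and in a form
// that applies it. Names (LeakyAccount, GuardedAccount, ledger) are hypothetical.
public final class DefensiveCopyDemo {

    // Violating form: the getter returns the internal array itself, so any
    // caller can rewrite the object's state without passing through any
    // validation the class might otherwise perform.
    static final class LeakyAccount {
        private final long[] ledger = {100L, 250L};

        long[] getLedger() {
            return ledger;              // leaks the mutable array
        }

        long balance() {
            return Arrays.stream(ledger).sum();
        }
    }

    // Hardened form: copy on the way in and on the way out, so callers only
    // ever hold their own copy and the object's invariants stay under its control.
    static final class GuardedAccount {
        private final long[] ledger;

        GuardedAccount(long[] initial) {
            this.ledger = initial.clone();   // copy in: later edits to 'initial' do not reach us
        }

        long[] getLedger() {
            return ledger.clone();          // copy out: callers cannot alter our state
        }

        long balance() {
            return Arrays.stream(ledger).sum();
        }
    }

    public static void main(String[] args) {
        LeakyAccount leaky = new LeakyAccount();
        leaky.getLedger()[0] = -1_000_000L;     // caller silently corrupts internal state
        System.out.println("leaky balance:   " + leaky.balance());

        long[] seed = {100L, 250L};
        GuardedAccount guarded = new GuardedAccount(seed);
        seed[0] = -1_000_000L;                  // mutating the constructor argument has no effect
        guarded.getLedger()[0] = -1_000_000L;   // mutating the returned copy has no effect
        System.out.println("guarded balance: " + guarded.balance());
    }
}
```

Compile and run with `javac DefensiveCopyDemo.java && java DefensiveCopyDemo`; the leaky account reports a balance that a caller was able to push negative, while the guarded account's balance is unchanged by either mutation attempt.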

Click here to view my taxonomy.
Click here to download secure coding custom detectors that I wrote for FindBugs.

I included the following tools in the static analysis study:
I also invite you to check out the Secure Software Engineering graduate program at JMU.
Copyright © 2008 Michael S. Ware